GSA’s McClure: Cloud computing and open data in federal government aren’t going away

To those in media, government or commentariot who think that cloud computing or open data might be going away in federal government after the departure of federal CIO Vivek Kundra next month, Dave McClure offered a simple message today: these trends are “inevitable.”

Cloud computing, for instance, will “survive if we change federal CIOs,” he said. “It’s here, and it’s not going away. McClure describes cloud computing as a worldwide global development in both business and government, where the economics and efficiencies created are “compelling.” The move to the cloud, for instance, is behind US plans to close or consolidate some 800 data centers,, including hundreds by the end of 2011.

Cloud computing was just one of five macro trends that McClure “listed at this year’s FOSE Conference in Washington, D.C. FOSE is one of the biggest annual government IT conferences.
inevitable. Here’s the breakdown:

1) Cloud computing

The GSA is the “engine behind the administration’s ‘cloud-first’ strategy,” said McClure, lining up the procurement details for government to adopt it. He said that he’s seen “maturity” in this area in the past 18-24 months. Two years ago, National Institute of Standards and Technology (NIST) was spending time at conferences and panels defining it. Now we have cloud deployments that are robust and scalable, said McClure, including infrastructure as a service and email-as-a-service.

Government cloud deployments now includes public facing websites, storage, disaster recovery andare beginning to move into financial apps.

2) Collaboration and engagement

The cloud is teaching us that once we free data, make it accessible, and make it usable, it’s
creating opportunities for effective collaboration with citizens, said McClure, noting that this trend is in its “early stages.”

3) Open data and big data

Data.gov has “treasure troves” of data that entrepreneurs and citizens are turning into hundreds of applications and innovations, said McClure. Inside of government, he said that access to data is creating a “thirst” for data mining and business intelligence that help public servants work more efficient.

4) Mobile

Mobile computing will be the next wave of innovation, said McClure, delivering value to ourselves and delivering value to citizens. Government is “entrenched in thinking about creation of data on websites or desktop PCs,” he said. That perspective is, in this context, dated. Most of the audience here has a smartphone, he pointed out, with most interactions occurring on the hip device. “That’s going to be the new platform,” a transition that’s “absolutely inevitable,” he said, “despite arguments about digital divide and broadband access.”

5) Security

As McClure noted, you have to include security at a government IT conference. The need for improved security on the Web, for critical infrastructure, on email and where ever else government has exposed attack surface is clear to all observers.

Podcast: IT Security, Internet Freedom and Open Government at Threatpost

This morning, I was privileged to join Dennis Fisher on the Digital Underground podcast to talk about IT security, open government, Internet freedom and open data movements, including how they’re affecting IT security.

ListenIT Security, Internet Freedom and Open Government [MP3]

Fisher is a founding editor of the Threatpost blog and is one of the best information security journalists in the industry and a former colleague from TechTarget.

Over the course of the podcast, we discussed the different ways in which Internet freedom and privacy play into the current climate online. (We also talked a bit about Twitter and journalism.) As 2011 matures, legitimate concerns about national security will continue to be balanced with the spirit of open government expressed by the Obama administration.

The issues created between Wikileaks and open government policies are substantial. Open data may be used for accountability, citizen utility and economic opportunity. But as federal CIO Vivek Kundra said to Harvard Business School students studying Data.gov last year, the transparency facet in the Obama administration’s open government initiative has multiple layers of complexity.

Fisher and I explore these issues, along with a number of the complexities involved with improving information sharing between the public and private sector when it comes to vulnerabilities and threats. Currently, over 80% of the nation’s critical infrastructure is in the private sector.

Related stories:

2011 Trends: National Strategy for Trusted Identities in Cyberspace highlights key online privacy, security challenges

Blackberrys, cell phones and communications devices are tagged with post-its during a briefing on Afghanistan and Pakistan in the Cabinet Room of the White House, March 26, 2009. (Official White House Photo by Pete Souza)
Blackberrys, cell phones and communications devices are tagged with post-its during a briefing on Afghanistan and Pakistan in the Cabinet Room of the White House, March 26, 2009. (Official White House Photo by Pete Souza)

The upcoming release of the final version of the White House “National Strategy for Trusted Identities in Cyberspace” highlights three key trends that face the world in 2011: online identity, privacy and security. Governments need ways to empower citizens to identify themselves online to realize both aspirational goals for citizen-to-government interaction and secure basic interactions for commercial purposes.

Earlier today, Stanford hosted an event today where U.S. Commerce Secretary Gary Locke and White House cybersecurity coordinator Howard Schmidt talked about the Obama administration’s efforts to improve online security and privacy at the Stanford Institute for Economic Policy Research (SIEPR). Here’s the NSTIC fact sheet the administration posted last year.

“As we look at the innovation engine that drives many of the things we’re doing, what does it mean to sit there as we’ve come together today,” asked Schmidt, “bringing these things together to overcome some of these risks associated with the technology we’ve deployed over the past 20 some odd years?”

The administration took public feedback on the document at NSTIC IdeaScale, which is now closed. (For a screenshot, see the story on IdeaScale on MSNBC.com.) “Every day at the end of the day. I would go back and read some of those comments,” said Schmidt today. “Some of them quite honestly were pretty silly. Other of them were very insight full and gave us some good thoughts about how can we do this right? How can we create a document that really does those things the secretary mentioned such as privacy enhancing but also giving us better trust?”

Schmidt took to the White House blog again today to announce a “National Program Office for Enhancing Online Trust and Privacy.”

Today, at Stanford University, Commerce Secretary Gary Locke and I were pleased to announce that the Commerce Department will host a National Program Office (NPO) in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC).  As I’ve written previously, the NSTIC fulfills one of the action items in theCyberspace Policy Review (pdf) and is a key building block in our efforts to secure cyberspace.

This holiday season, consumers spent a record $30.81 billion in online retail spending, an increase of 13 percent over the same period the previous year.  This striking growth outshines even the notable 3.3-5.5 percent overall increase in holiday spending this past year.  While clearly a positive sign for our economy, losses from online fraud and identity theft eat away at these gains, not to mention the harm that identity crime causes directly to millions of victims.  We have a major problem in cyberspace, because when we are online we do not really know if people, businesses, and organizations are who they say they are. Moreover, we now have to remember dozens of user names and passwords. This multiplicity is so inconvenient that most people re-use their passwords for different accounts, which gives the criminal who compromises their password the “keys to the kingdom.”

We need a cyber world that enables people to validate their identities securely, but with minimal disclosure of information when they’re doing sensitive transactions (like banking) – and lets them stay anonymous when they’re not (like blogging). We need a vibrant marketplace that provides people with choices among multiple accredited identity providers – both private and public – and choices among multiple credentials. For example, imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords. Such a marketplace will ensure that no single credential or centralized database can emerge. In this world, we can cut losses from fraud and identity theft, as well as cut costs for businesses and government by reducing inefficient identification procedures. We can put in-person services online without security trade-offs, thereby providing greater convenience for everyone.

This is the world envisioned in the NSTIC.  We call it the Identity Ecosystem.  We will be working to finalize the NSTIC in the coming months, but that is only the beginning of the process. I’m excited to be working with Secretary Locke. The Commerce Department is perfectly suited to work with the private sector to implement the NSTIC. In addition, there are other departments and agencies with strategic roles to play as well. Above all though, we look to the leadership of the private sector. Therein lies the key to success. Now is the time to move forward with our shared vision of a better, more secure cyberspace.

Why NSTIC Matters

The policy that the United States government makes towards the Internet has the potential to affect every person online in 2011, as advocates know, so how this is carried out bears close watching. The Center for Democracy and Technology filed key comments on NSTIC last year, including a key issue: “We alerted the Commerce Department to our concern about NSTIC’s current focus on the use of government credentials for private transactions: A pervasive government-run online authentication scheme is incompatible with fundamental American values,” wrote Heather West regarding the cybersecurity policy proposal.

The issue is at once simple and enormously complex, as Jim Dempsey from the Center for Democracy and Technology highlighted today. Government needs a better online identity infrastructure to improve IT security, online privacy, and support ecommerce but can’t create it itself, said Dempsey, outlining the key tension present. Dempsey advocated for a solution for online identity that lies within a broader trust framework and that is codified within a baseline federal consumer privacy law.

Some of the answers to the immense challenge of securing online privacy and identity won’t be technical or legislative at all. They lie in improving the digital literacy of for online citizens. That very human reality was highlighted after the massive Gawker database breach last year, when the number of weak passwords used online became clear. Schmidt highlighted the root caused of passwords today:

The reason most people do that is because we have to worry about remembering so many different passwords and then there’s so many layers of complexity and, complexity that we have to worry about, we have different time frame. We replace them every 30-day, 60 days, 90 days and it becomes really cumbersome. And recent survey found that 46% of the people surveyed never ever have changed their passwords and 71% use the same password with over and over and over again. From reading an on-line blog to doing sensitive financial transactions.

Others answers may be founded in creating online trust frameworks, which were a key initiative in 2010 for the federal government. Multifactor authentication, where more than one forms of identity are used in transactions, will be part of that vision. Schmidt described, loosely, what that might look like.

I go to a store. I go to a grocery store in some cases. I do some level of proofing, whatever I want to wind up doing, whether it’s the lowest level or the highest level to get an online identity stored on a token. A digital identity. Whether it’s on a USB drive or whether it’s on a smart card, I have the ability to do something beyond what I’m doing now. I go to log-in to these accounts. I use the USB device, I use a smart card. I use a one time password on my mobile device that no longer puts me in a position where I’ve been in the past where I can wind up making one small mistake and paying for it for years. But then I also get the log-in to my web mail account. That credential is passed on as well. So I have the ability to do these things seamlessly without all the baggage and overhead that goes with it. But then here comes the true test – this web mail – this phishing e-mail – comes in, and working together between the token and my digital identity and the browser, it stops me from doing things that are going to be harmful. And I had the ability to control that. I have the ability to set this up. And then it keeps me from becoming a victim of fraud.

That combination of physical tokens that interface with commercial and communications infrastructure to authenticate a consumer or online user are one vision of an identity ecosystem. Given the commercial needs of the moment, it should not be a surprise that the Department of Commerce is a key player. Secretary Locke offered perspective on the challenges that face the nation in 2011. [Full unedited transcript]

Let’s flash forward to today to 2011. Nowadays the world does an estimated $10 trillion of business online. Nearly every transaction you can think of is being done over the Internet. Consumers paying their utility bills, even from smartphones. People downloading music, movies and books online. Companies from the smallest local store to bed and breakfasts, to multinational corporations, ordering goods, paying vendors, selling to customers, all around the world. All over the Internet. E-commerce sales for the third quarter of 2010 were estimated at over $41 billion, up almost 14% over last year. And early reports indicate that the recent holiday buying season saw similar growth with year over year sales up by over 13%.

But despite these ongoing successes, the reality that the Internet still faces something of a trust issue. And it will not retch its full potential until users and consumers feel more secure than they do today when they go on-line. The threats on the Internet seem to be proliferating just as fast as the opportunities. Data breaches, malware, ID theft and spam are just some of the most commonly known invasions of a user’s privacy and security. And people are worried about their personal information going out and parents, like me, are worried about unwarranted sexually explicit material coming in before their children. And the landscape is getting more complex as dedicated hackers undertake persistent targeted attacks and develop ever more sophisticated frauds.

The approach that Locke outlined will apparently be housed within the Department of Commerce, a choice that is likely relevant to the scale and growth of e-commerce online:

The end game of course, is to create an identity ecosystem where individuals and organizations can complete online transactions with greater confidence, putting greater trust in the online identities of each other, and greater trust in the infrastructure that the transactions run over. Let’s be clear, we’re not talking about a national ID card. We’re talking about a government controlled system. But what we are talking about is enhancing online security and privacy, and reducing, and perhaps even eliminating, the need to memorize a dozen password through the creation and use of more trusted digital identities. To accomplish this, we’re going to need your help. And we need the private sector’s expertise and involvement in designing, building and implementing this identity ecosystem. To succeed we’ll also need a national program office at the Department of Commerce focused on implementing our trusted identities strategy.

For more context, look back to Schmidt’s introduction of the NSTIC at the WhiteHouse.gov blog last year:

Cyberspace has become an indispensable component of everyday life for all Americans. We have all witnessed how the application and use of this technology has increased exponentially over the years. Cyberspace includes the networks in our homes, businesses, schools, and our Nation’s critical infrastructure. It is where we exchange information, buy and sell products and services, and enable many other types of transactions across a wide range of sectors. But not all components of this technology have kept up with the pace of growth. Privacy and security require greater emphasis moving forward; and because of this, the technology that has brought many benefits to our society and has empowered us to do so much — has also empowered those who are driven to cause harm.

Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC). This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.). Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.

This is all wonky stuff that may seem a bit dry to some readers, but it’s important. The intertwined issues of identify, security and online privacy are increasingly relevant to every citizens as more commerce, education, communication and elements of everyday life move onto the Internet and mobile infrastructure. This strategy is central to how the United States government will work with industry, nonprofits, citizens and other states to improve the status quo. On that count, Bob Gourley, CTO of Crucial Point, commented extensively on the NSTIC at CTOVision.

It won’t be easy. Supporting the creation of identity infrastructure and improvements to online privacy in the private sector has the potential to make the Internet more secure and convenient for users and consumers but could have unintended consequences if not carefully pursued. There’s a lot at stake. As the Stanford event organizers highlighted, “e-commerce worldwide is estimated at $10 trillion of business online annually.”

Wired’s Ryan Singel highlighted a key issue for the White House plan for online identity, perhaps even the fundamental one in today’s online identity landscape: Facebook.

Philip Kaplan, the outspoken founder of Blippy, AdBrite and Fucked Company, added a Silicon Valley developer voice to event’s panel, arguing that any system has to be simple to implement, so that developers working in their living room making a website can concentrate on building new features, not worrying about security.

The closest thing to that currently is Facebook Connect, which lets you use your Facebook credentials to login you in around the net and on mobile apps..

“I can put in one line of JavaScript and I have a login system,” Kaplan said. “But that doesn’t I’m not going to pay my taxes using Facebook Connect.”

Which is another way of it might be as dangerous for a single company to be the world’s online ID vault as it would for the government to handle that task.

And right now, with Facebook at 600 million users and $50 billion in valuation, that future seems much more likely than a standards-based, interoperative system built by geeks at the behest of the feds.

Whether an online trust framework can be a viable alternative to Facebook’s play to be the identity provider online is a first-order question, and one that deserved examination. Kudos to Singel for putting the event in that context.

Weekend Reading: The most recent version of the NSTIC follows. Look for more reporting, both here or at another outlet, once the final version is released.

National Strategy for Trusted Identities in Cyberspace

Senate considers update to Electronic Communications Privacy Act

Today in Washington, the Senate Judiciary Committee held a hearing on updating the Electronic Communications Privacy Act (ECPA), the landmark 1986 legislation that governs the protections citizens have when they communicate using the Internet or cellphones.

The statements of the witnesses before the Senate from the Commerce Department, Justice Department and witnesses are embedded in ths post. Below, find an exclusive interview with digital privacy and security researcher Chris Soghoian, who until recently was the resident geek at the Federal Trade Commission, and some context on “Digital Due Process,” the coalition of industry and privacy advocates advocating for an ECPA update.

“From the perspective of industry and definitely the public interest groups, people shouldn’t have to consider government access as one of the issues when they embrace cloud computing,” said Soghoian. “It should be about cost, about efficiency, about green energy, about reliability, about backups, but government access shouldn’t be an issue.”

While the tech blogosphere may be focused on Twitter, Facebook and inside baseball among the venture capitalists of Silicon Valley’s today, the matter before Congress should be earning more attention from citizens, media and technologists alike. Over at Forbes, Kashmir Hill made the case that industry will benefit from a clearer Electronic Communications Privacy Law. Take it one step further: updates to the ECPA have the potential to improve the privacy protections for every connected citizen, cloud computing provider or government employee. As she pointed out there:

One of the most egregious ECPA issues is how it treats the protection of email. “Why should email in someone’s inbox be treated different from something in someone’s sent folder?” asked Smith [Microsoft’s general counsel]. “Why is something unread in my junk folder subjected to greater privacy than something read in my inbox? Why does an email I sent in April have fewer privacy protections than one I sent in September?”

Smith discussed security and privacy concerns with respect to cloud computing after the hearing: Get Microsoft Silverlight

It’s important to be clear: Congress is unlikely to move on updating ECPA before the mid-term elections or in the lame duck session. That said, the hearing in the Senate today and the hearing on ECPA reform and the revolution in cloud computing in the House of Representatives tomorrow will inform any legislative action in the next Congress.

Chairman Patrick Leahy was clear in his opening statement today: American innovation has outpaced digital privacy laws.

When Congress enacted ECPA in 1986, we wanted to ensure that all Americans would enjoy the same privacy protections in their online communications as they did in the offline world, while ensuring that law enforcement had access to information needed to combat crime. The result was a careful, bipartisan law designed in part to protect electronic communications from real-time monitoring or interception by the Government, as emails were being delivered and from searches when these communications were stored electronically. At the time, ECPA was a cutting-edge piece of legislation. But, the many advances in communication technologies since have outpaced the privacy protections that Congress put in place.

Today, ECPA is a law that is often hampered by conflicting privacy standards that create uncertainty and confusion for law enforcement, the business community and American consumers.

For example, the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent. There are also no clear standards under that law for how and under what circumstances the Government can access cell phone, or other mobile location information when investigating crime or national security matters. In addition, the growing popularity of social networking sites, such as Facebook and MySpace, present new privacy challenges that were not envisioned when ECPA was passed.

Simply put, the times have changed, and so ECPA must be updated to keep up with the times. Today’s hearing is an opportunity for this Committee to begin to examine this important issue.

“There does seem to be wide agreement that current ECPA standards are a muddled mess,” said Julian Sanchez, a research fellow at the libertarian Cato Institute, and contributing editor for Reason Magazine. “The fear about “uncertainty” expressed by Baker is ridiculous when you consider the scholarly consensus and the evident confusion in the courts trying to apply it. In reality, DOJ finds the ambiguity convenient, since they can jurisidiction-shop for magistrates whose interpretations they find congenial.”

Jim Dempsey of the Center for Democracy and Technology made the following statement on ECPA, promoting security and protecting privacy:

Justice Brandeis famously called privacy “the most comprehensive of rights, and the right most valued by a free people.” The Fourth Amendment embodies this right, requiring a judicial warrant for most searches or seizures, and Congress has enacted numerous laws affording privacy protections going beyond those mandated by the Constitution.

In setting rules for electronic surveillance, the courts and Congress have sought to balance two critical interests: the individual’s right to privacy and the government’s need to obtain evidence to prevent and investigate crimes, respond to emergency circumstances and protect the public. More recently, as technological developments have opened vast new opportunities for communication and commerce, Congress has added a third goal: providing a sound trust framework for communications technology and affording companies the clarity and certainty they need to invest in the development of innovative new services.

Today, it is clear that the balance among these three interests – the individual’s right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust – has been lost as powerful new technologies create and store more and more information about our daily lives. The protections provided by judicial precedent and statute have failed to keep pace, and important information is falling outside the traditional warrant standard.

The personal and economic benefits of technological development should not come at the price of privacy. In the absence of judicial protections, it is time for Congress to respond, as it has in the past, to afford adequate privacy protections, while preserving law enforcement tools and providing clarity to service providers.

Dempsey’s full testimony is embedded below:
Jim Dempsey Testimony on ECPA Update

The American Civil Liberties Union also had specific recommendations for Congress on ECPA reform. “The Electronic Communications Privacy Act was written in 1986 before the Web was even invented and is in desperate need of an upgrade,” said Laura W. Murphy, Director of the ACLU Washington Legislative Office. “While Americans have embraced technology as an essential part of everyday life, they have not surrendered their fundamental right to privacy. Congress must ensure that our privacy laws reflect the technology Americans use every day.”

The testimony of the ACLU on ECPA reform is embedded below:

ACLU statement on update to ECPA

The written testimony of Microsoft general counsel Brad Smith is embedded below:

Microsoft counsel Brad Smith’s Testimony before Senate

The written testimony of he Honorable James A. Baker, Esq., Associate Deputy Attorney General, United States Department of Justice, is embedded below:

Baker Testimony on ECPA Updates

The written testimony of the Honorable Cameron F. Kerry, Esq., General Counsel of the United States Department of Commerce is embedded below:

Cameron Kerry Testimony before the Senate

The written testimony of attorney Jamil Jaffer Testimony is below:

Jamil Jaffer Testimony before the Senate Judiciary Comittee

Digital Due Process

Earlier this year, I reported on the launch of DigitalDueProcess.org, a coalition pushing for an ECPA update for online privacy in cloud computing age. A powerful collection of organizations has been pushing for an update to ECPA. Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.

The coalition set up a website, DigitalDueProcess.orgcontaining its proposals for updating ECPA in the face of new cloud computing security and online privacy challenges. Google Public Policy released a video, embedded below, describing the concept of “digital due process,”